CVE-2020-4072

In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. This issue has been fixed in version 1.7.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
jhipstergenerator-jhipster-kotlin
𝑥
< 1.7.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b99b6a2a99449
https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-fvjc
https://owasp.org/www-community/attacks/Log_Injection
https://www.baeldung.com/jvm-log-forging
https://github.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b99b6a2a99449
https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-fvjc
https://owasp.org/www-community/attacks/Log_Injection
https://www.baeldung.com/jvm-log-forging